Brandon Traffanstedt, CyberArk | AWS Marketplace 2018
>> From the ARIA Resort in Las Vegas, it's theCUBE. Covering AWS Marketplace. Brought to you by Amazon Web Services.
>> Hey, welcome back here everybody, Jeff Frick here with theCUBE. We are at AWS re:Invent 2018 wrapping up day one. We're going to do four days of coverage. We have four sets, three locations. But we're kicking things off here at the AWS Marketplace and Service Catalog event here at the ARIA. We're excited to be joined by our next guest, first time on theCUBE, but he's been working on the security stuff for a long time. He's Brandon Traffanstedt, he's the Global Director of System Engineering for CyberArk. Brandon, great to see you.
>> Thank you very much. Glad to be here.
>> Absolutely. So we started the conversation, first off, let's just give us the quick overview of CyberArk for people who are unfamiliar with the company.
>> Definitely. So CyberArk does privileged access security, and that is the vaulting, rotation, and management of incredibly powerful accounts. Both traditional ones, the domain admin, to ones that exist in a more ephemeral, or cloud, state. Access key, secret key pairs, root access into your console. So our goal is to take those out of the minds of users, out of those spreadsheets, out of hard-coded code stacks. Place them in a secure location, rotate them, and then provide secure access to people as well as non-people too.
>> So you really segregate the privileged access as a very different category than just any regular user of kind of admin type of person.
>> Absolutely. Though the focus is key. When we look at the general spectrum of accounts in an organization, yes, you've got the lower ones that are identity driven. Attackers might use those to get in, but really the creamy, nuggety center are those high value credentials. It's what brings down organizations. It's what we see involved in breaches every single day. So the focus there on those powerful ones is what gets us the most security posture increase with the least amount of effort.
>> You know, it's interesting. 'Cause I always think of security as kind of like insurance. You can't absolutely be 100% positively. You can't spend every nickel you have on security, but you want to have a good ROI. So what you're saying, really, is this is a really good ROI investment from your security investment because these are really the crown jewels that you need to protect first.
>> Absolutely. And like insurance, we often want to plan for the absolute worst to occur. There have been breaches in the past where, yes, there were dollars that were spent on things like remediation, but if you have a huge customer base, even the postage alone to notify folks that you've had a compelling event tends to up into the seven figures.
>> I never even thought of that. It's not a trivial expense.
>> Absolutely.
>> So, you said you've been doing this for 20 years, so a lot of change. There was no AWS re:Invent 20 years ago. There was not cloud computing as we know it today. So, you know, we'll talk about kind of the current state, but I'd love to get more kind of your historical perspective, you know, being a security expert, how your challenges have changed as this kind of continual escalation of war, accounting of strike counters strike. I'm thinking of MAD Magazine's Spy vs Spy, right, has continued to escalate over these 20 years.
>> Definitely. So, years and years ago organizations were very monolithic from both the application side as well as their more kind of human-focused infrastructure. Right, we had one or two domain controllers. Typically physical systems. But what happened is, the architecture broke down. So what, 10 years ago virtualization was the big thing, right. Same types of accounts, but more systems. More automation flows. So as we replaced humans with non-humans, what happened was, more human users got over-privileged, right? They were empowered to get their jobs done. But we had more and more robots that began doing their work. So one of the things that we saw was the breaking down of the application stacks to the point that we are now, you can spin up thousands of instances in a matter of clicks over a matter of seconds. Move that into a more microservices model, and you now have tens of thousands of nodes that can exist in the blink of an eye. All having the same type of access restrictions but just being far more distributed.
>> Right. And so many more attack surfaces with IoT, and all these things all over the place. And so, much more complex environment.
>> Definitely. One of the things about all this beautiful automation and centralization that's occurring is that now attackers don't have to go through that same type of flow they used to, right. Compromise an end user, escalate privilege on a laptop for instance, move laterally and continue to perform that dance. Now, all it takes is one compromise into your cloud management console for instance. And a lot of times that's game over. Our attacker is also changing a little bit. So I'm proud to say, but I'm a millennial, and the thing about millennials is we tend to be very, some would say lazy, but I would say efficient in how we perform tasks. So for me, performing that lateral movement versus a one stop shop for a public-facing entity, I'm going to choose the one stop shop.
>> Very true. So one of the hot topics in today's world is RPA, robotic process automation. We are at Automation Anywhere, we are at the UiPath Show this year, it's getting a lot of buzz. Both those companies have raised a ton of money. Hot, hot, hot space. It adds a whole new level of complexity and opportunity on the security side. So how should people be thinking about RPA and security?
>> So when it comes to RPA, one of the things that is simply par for the course is that in order for robots to do their jobs, to build this automation that folks are looking for, they've got to authenticate this stuff. A lot of times we'll see that authentication happen as kind of an isolated secret that's stored, say, inside of Automation Anywhere for instance. The goal there is, well, we can rotate it, maybe, but now we have to update it here and there and a number of other spots. So one thing that we see as being a very prevalent theme is, well, let's find a centralized and secure source to manage them, and allow the robotic process automation to authenticate securely to that entity, pull the secrets as they need. Now, we can rotate that as many as what, ten, twelve times a day if we wanted to without our RPA missing a beat. At CyberArk we have what's called a C cubed alliance where we brought together a number of RPA vendors. All the ones that you mentioned. As well as other automation platforms, security vendors too. To where you don't have to do the work of integrating. It's already there and it's been built. And we're taking a huge direction from our customer base there to tell us what's hot, what's new for them. To let us proper those conversations.
>> Because the robots are actually treated inside the system, I believe, as like a person, right? It's kind of like your own personal assistant. So in terms of the identity and the access, it's managed very much as if it was just a new hire.
>> For sure. And if you look at it, for instance, using something like another automation platform like Jenkins. Jenkins is personified by a butler. Jenkins' task is to go out and perform all these tasks for you. But I'll submit to you, if I were to offer you, hey Brandon, you can come to my house, vacuum my floor every Friday, that sounds like a pretty good deal. Especially if it's an open source. If I do it for you for free. But you encounter risk by giving me the keys to your house. The same is true for those automation platforms. A lot of times we divorce that robot from a human, so we don't do the same level of due diligence to give the robot an identity to instantiate least privilege. It's one of the things we've seen be a very huge theme in successful customer deployments. As well as automating their security too.
>> Well, at least they're not going to give away the security when someone calls up and says, can you please give me the URL for the company picnic. I can't get in, you got to help me out. Hopefully they didn't train the robots to answer that question and let that social engineering enter. Is there social engineering for RPA?
>> There is. When you look at RPA or even code that exists in public repositories, one of the quickest attacks you can do is to GitHub, search for your secret of choice. Maybe it's Postgres, maybe it's a vendor name underscore secret. If you sort that code by recent commits, you'll find people's hardcoded secrets that exist inside of public repositories. It's not because our developers are malicious. It's because it wasn't top of mind for them. They didn't have a more compelling solution. So that's one of the quickest attacks and I think that's social engineering. It could be as easy as compromising as say, one of your AWS administrators who happens to have a privileged key in a text file on his desktop. Same is also true there.
>> Right, Brandon, so we're here at the AWS Marketplace experience. Share with us a little bit about how you work with AWS Marketplace and what's that meant for your company. You've been around for 20 years. So you didn't need them to get started, but how are they helping you change your business?
>> So one of the things that has been very top of mind for us over the past couple of years is supporting the community. In many cases folks will come to us with a project. Whether it be post-breach remediation, audit compliance, whatever it may be, they have some indicator of moving forward. A lot of times when developers are building out processes, they may not be the driver from the business, so the goal was we need to be able to support the community to provide open source secrets management and do so very quickly. So there doesn't need to be a project or a red tape. AWS Marketplace has helped us provide our open source solution in a beautifully deployed package to as many folks as possible, so that at least they have some secure place to store those secrets without altering the way they do things. If they have to go outside of the Marketplace flows that they're used to, it's extra work. And we never want security to be a constraint to building good, quality automation development practices.
>> Right. And how's Amazon been as a partner? There's a lot out there, be careful, they're going to see what you do and copy it and knock you out of business. How have they been working with as a partner?
>> They've been fantastic. Highly supportive from both the programmatic secrets management perspective but also in providing best practices for how to deploy our core stack into AWS. How to handle things like auto scaling. As well as providing some APIs to extend our secrets management capability based on customer ASPs on both sides.
>> Alright, Brandon, well, thank you for taking a few minutes. I'm sure we're both going to be dog tired in a couple of days.
>> We can hope so, yeah.
>> So we started while we were fresh. So I appreciate you taking a few minutes and stopping by.
>> Always a pleasure. Thank you again for the invite.
>> All right, he's Brandon, I'm Jeff. You're watching theCUBE. We're at AWS Marketplace and Service Catalog Experience here at the ARIA. Thanks for watching. See ya next time. (upbeat music)